Host Hardening Chapter 6 Panko, Corporate Computer and Network Security Copyright 2005 Prentice-Hall
2 Figure 6-1: Hardening Host Computers The Problem Computers installed out of the box have known vulnerabilities Not just Windows computers Hackers can take them over easily They must be hardened—a complex process that involves many actions
3 Figure 6-1: Hardening Host Computers Elements of Hardening Physical security (Chapter 2). Secure installation and configuration Fix known vulnerabilities Turn off unnecessary services (applications) Harden all remaining applications (Chapter 9) (more on next page)
4 Figure 6-1: Hardening Host Computers Elements of Hardening (continued) Manage users and groups Manage access permissions For individual files and directories, assign access permissions to specific users and groups Back up the server regularly Advanced protections
5 Figure 6-1: Hardening Host Computers Security Baselines Guide the Hardening Effort Specifications for how hardening should be done Different for different operating systems Different for different types of servers (webservers, mail servers, etc.) Needed because it is easy to forget a step
6 Figure 6-1: Hardening Host Computers Server Administrators Are Called Systems Administrators A sysadmin manages one or several servers—not necessarily all of a firm’s servers Sometimes, groups of sysadmins manage multiple servers
7 Figure 6-1: Hardening Host Computers Windows Computers Microsoft Network Operating Systems (NOSs) LAN Manager (LANMAN) Windows NT Server Windows 2000 Server Windows 2003 Server (called .NET in the book) Graphical user interface looks like client versions to ease learning (Figure 6-2)
8 Figure 6-2: Windows 2000 Server User Interface
9 Figure 6-1: Hardening Host Computers Windows Computers Administrative Tools Group under Programs has Microsoft Management Consoles (MMCs) (Figure 6-3) Used to conduct most administrative actions Can add snap-ins for specific functionality
10 Figure 6-3: Computer Management Microsoft Management Console (MMC) System Tools snap-in
11 Figure 6-1: Hardening Host Computers Windows Computers Windows 2000 introduced hierarchical domain structure with Active Directory Domain is a collection of resources Domain contains one or more domain controllers, member servers, client PCs Group policy objects (GPOs) on a domain controller can implement policies throughout a domain
12 Figure 6-1: Hardening Host Computers UNIX Many versions of UNIX LINUX is a set of versions for PCs—there are several different distributions User can select the user interface—GUI or command-line interface (CLI) CLIs are called shells (Bourne, BASH, etc.) CLIs have picky syntax, capitalization, and spacing
13 Figure 6-1: Hardening Host Computers Internetwork Operating System (IOS) For Cisco Routers, Some Switches, Firewalls Other Host Operating Systems Macintosh Novell NetWare Firewalls Even cable modems with web-based management interfaces
14 Figure 6-4: Installation and Patching Installation Offers Many Options, Some of Which Affect Security For example, in Windows, the NTFS file system is better for security than FAT32 Need a security baseline to guide option choices during installation
15 Figure 6-4: Installation and Patching Known Vulnerabilities Most programs have known vulnerabilities Exploits are programs that take advantage of known vulnerabilities
16 Figure 6-4: Installation and Patching Known Vulnerabilities Vulnerability reporters send vulnerability reports to vendors Vulnerability reporters often say that vendors take too long to fix vulnerabilities Vendors say that vulnerability reporters do not give them enough time, report too much detail to the press
17 Figure 6-4: Installation and Patching Fixes Work-around: A series of actions to be taken; no new software Patches: New software to be added to the operating system Upgrades: Newer versions of programs usually fix older vulnerabilities.
18 Figure 6-4: Installation and Patching Upgrades Often, security vulnerabilities are fixed in new versions If a version is too old, the vendor might stop offering fixes It might be good to wait to upgrade until after the first round of bug and security fixes
19 Figure 6-4: Installation and Patching Mechanics of Patching Microsoft Windows Server Windows Update on Start menu (Figure 6-2) in Windows 2000 Automatic notification of update availability in Windows 2003 LINUX distributions often use rpm for updates
20 Patching
21 Figure 6-4: Installation and Patching Patches Often Are Not Applied Companies get overwhelmed by number of patches Use many products, vendors release many patches per product Especially a problem for application programs
22 Figure 6-4: Installation and Patching Patches Often Are Not Applied Cost of Patch installation Mitigated by patch servers that distribute patches to general servers More easy-to-use vendor tools are needed Might simply lack the resources to apply all; might be selective
23 Figure 6-4: Installation and Patching Patches Often Are Not Applied Risks of Patch installation Reduced functionality Freeze machines, do other damage—sometimes with no Uninstall possible Should test patch on a test system before deployment Special problem for mission-critical production systems that must work
24 Figure 6-5: Turning Off Unnecessary Services Unnecessary Services Operating system vendors used to install many services by default This made them easier to use. When use changes, services do not have to be turned on. Attackers have found flaws in many of these rare services
25 Figure 6-5: Turning Off Unnecessary Services Unnecessary Services Vendors now install fewer services by default—lock down mode Turn to security baseline to see what services to turn on and off Easier to install too few and add than to install too many and remove unwanted services
26 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In Windows Server Go to the Computer Management MMC On the tree, select Services and Applications (Figure 6-6) Status tells whether the service is active Startup tells how the service is started (automatic, manual, disabled, etc.) Right click on a service or select and choose Action to stop a service, start it, disable it, etc.
27 Figure 6-6: Services and Applications in Windows
28 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In UNIX Three ways to start services inetd to start services when requests come in from users (Figure 6-7) rc scripts to start services automatically at boot up (Figure 6-8) Start a service manually by typing its name or executing a batch file that does so
29 Figure 6-7: UNIX inetd Daemon for Responding to Client Requests. inetd.config maps ports to programs: Port 23 to Program A, Port 80 to Program B, Port 123 to Program C, Port 1510 to Program D. 1. A client request arrives at port 80. 2. inetd looks up port 80 in inetd.config. 3. The entry names Program B, and inetd starts Program B to process this request.
30 Figure 6-8: The UNIX rc.d Method of Automatically Starting Services. /etc/rc.d directory: scripts for services; contains scripts to start or kill services (1. Script for Service A; 2. Script for Service B; 3. Script for Service F; 4. Script for Service H). Directory rc0.d: subdirectory of rc.d; contains scripts to run the start or kill portions of scripts in the rc.d directory; these scripts are executed if run mode 0 occurs (system shutdown). rc0.d entries: K2... [Run the Kill portion of Script 2: Kills Service B]; K3... [Run the Kill portion of Script 3: Kills Service F]; ...
31 Figure 6-8: The UNIX rc.d Method of Automatically Starting Services. Other subdirectories of rc.d hold scripts to execute in different run modes: rc1.d, rc2.d, rc3.d, rc4.d, rc5.d, rc6.d, rcs.d. rc6.d [scripts to run during System Mode 6, startup]: S1... [Run the Start portion of Script 1: Starts Service A]; S2... [Run the Start portion of Script 2: Starts Service B]; ... rcs.d [scripts to run during System Mode s, single-user mode].
32 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In UNIX Identifying services that are running at any moment ps (process status), usually with -aux parameters, lists running programs Shows process name and process ID (PID) netstat tells what services are running on what ports
33 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In UNIX kill PID to kill a particular process: kill 47 (if PID=47) Add parameters -SIGTERM, -SIGHUP, -SIGKILL in order of increasing urgency: kill -SIGTERM 47 (PID = 47) Only kills for now. Must search inetd.config, rc scripts, batch files to see where it is being started automatically. Difficult to do.
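The search the slide calls difficult, as an added example that is not part of the original slides: it lists every inetd entry and rc link that would start a named service again after kill. It assumes the inetd file is named inetd.conf (the slides write inetd.config), rc links named S or K plus a number and the service name, and a constructed sample tree instead of the real /etc.

```shell
#!/bin/sh
# Added example, not from the slides: list every place a service is set to
# start, so that a service stopped with kill does not come back later.
# Assumed layout: ROOT/etc/inetd.conf and ROOT/etc/rc.d/rcN.d/{S,K}NNname.

# find_service_starts ROOT SERVICE
# Prints "inetd <service> <program>" or "rcN.d start|kill <entry>" per hit.
find_service_starts() (
    root=$1
    svc=$2

    # inetd.conf fields: service socket proto wait user program args...
    conf="$root/etc/inetd.conf"
    if [ -f "$conf" ]; then
        awk -v s="$svc" '
            /^[ \t]*#/ || NF < 6 { next }   # commented out means disabled
            $1 == s || index($6, s) { print "inetd", $1, $6 }
        ' "$conf"
    fi

    # rc entries: S runs the start portion of a script, K the kill portion.
    for entry in "$root"/etc/rc.d/rc?.d/[SK][0-9]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case $name in
            *"$svc"*) ;;
            *) continue ;;
        esac
        dir=${entry%/*}
        dir=${dir##*/}
        case $name in
            S*) echo "$dir start $name" ;;
            K*) echo "$dir kill $name" ;;
        esac
    done
)

# Constructed sample tree, so the example never reads the real /etc.
make_sample_root() (
    root=$(mktemp -d)
    mkdir -p "$root/etc/rc.d/rc0.d" "$root/etc/rc.d/rc3.d"
    cat > "$root/etc/inetd.conf" <<'EOF'
# constructed sample entries
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#ftp   stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
ntp    dgram  udp wait   root /usr/sbin/ntpd       ntpd
EOF
    : > "$root/etc/rc.d/rc0.d/K20ntpd"
    : > "$root/etc/rc.d/rc3.d/S55sshd"
    : > "$root/etc/rc.d/rc3.d/S80ntpd"
    echo "$root"
)

sample=$(make_sample_root)
find_service_starts "$sample" ntp
rm -rf "$sample"
```

To audit a live host, pass / as ROOT; a service is fully turned off only when this prints no inetd line and no start line for it.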
34 Figure 6-9: Managing Users and Groups Introduction Every user must have an account There can also be groups Can assign security measures to groups These measures apply to the individual group members automatically Faster and easier than assigning security measures to individuals
35 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows Computer Management: Local Users and Groups snap-in (Figure 6-10) Select Users Select user from list Right click on user and select Properties: password restrictions, disable box Or select Action: change password, etc. Add, delete users
36 Figure 6-10: Users and Groups in Windows
37 Figure 6-11: Windows User Account Properties To get this screen, right click on user account in Figure 6-10, select Properties
38 Figure 6-12: Creating a New User in Windows
39 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows Select user from list Administrator is the super account Change its name and create a new Administrator account with no permissions Administrators should not log in as Administrators; log in as their own account, use RunAs to get temporary Administrator status when needed
40 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows Select user from list Guest account should be disabled (the default during installation)
41 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows Select Groups Assign rights to groups Standard groups: Administrators, Power Users, Backup Operators, etc. Have appropriate permissions by default for their tasks
42 Figure 6-9: Managing Users and Groups Managing Users and Groups in UNIX Different versions of UNIX do this differently, so it is difficult to talk in general terms The super account is root su (switch user) allows administrators to log in as regular accounts, su to get root privileges when desired Guest account should be disabled
43 Figure 6-13: Managing Permissions Principle of Least Permissions: Give Users the Minimum Permissions Needed for Their Job More feasible to add permissions selectively than to start with many, reduce for security
44 Figure 6-13: Managing Permissions Assigning Permissions in Windows (Figure 6-14) Right click on file or directory in My Computer Select Properties, then Security tab Select a user or group NOT done through the start menu, selecting Administrative Tools
45 Figure 6-14: Assigning Permissions in Windows To bring up this screen, right click on a folder, select Properties. Click on Security tab
46 Figure 6-13: Managing Permissions Assigning Permissions in Windows (Figure 6-14) Click on or off the 6 standard policies (permit or deny) List Folder Contents (see what is in a directory) Read (read only) Read and Execute (for programs) Write (change files) Modify (Write plus delete) Full control: all permissions
47 Figure 6-13: Managing Permissions Assigning Permissions in Windows (Figure 6-14) Click on or off the 6 standard policies (permit or deny) For more fine-grained control, 13 special permissions collectively give the standard 6 This gives highly granular access controls, especially compared to UNIX (next)
48 Figure 6-13: Managing Permissions Assigning Permissions in UNIX ls -l shows details of files and directories in long format First character is - for a file, d for a directory Ends with name of file or directory Listing: -rwxr-x--- 1 root... purple.exe; drw-r brows... reports; -rw-rw-r-- 1 lighter... bronze.txt Note: purple.exe is a file; reports is a directory. What is bronze.txt?
49 Figure 6-13: Managing Permissions Assigning Permissions in UNIX ls -l shows files in a directory in long format Only three permissions: read (only), write (change), and execute (run program) Format is rwx for all or various combinations (r-x is read and execute but not write) Listing: -rwxr-x--- 1 root... purple.exe; drw-r brows... reports; -rw-rw-r-- 1 lighter... bronze.txt
50 Figure 6-13: Managing Permissions Assigning Permissions in UNIX ls -l shows files in a directory in long format Next three characters are permissions (rwx possible) for the file owner Listing: -rwxr-x--- 1 root... purple.exe; drw-r brows... reports; -rw-rw-r-- 1 lighter... bronze.txt purple.exe’s owner has all three permissions reports’ owner has only read and write permissions
51 Figure 6-13: Managing Permissions Assigning Permissions in UNIX Next three are permissions (rwx possible) for the group Next three are permissions for the rest of the world Listing: -rwxr-x--- 1 root... purple.exe; drw-r brows... reports; -rw-rw-r-- 1 lighter... bronze.txt purple’s group has read and execute permissions. purple has no permissions for the rest of the world.
52 Figure 6-13: Managing Permissions Assigning Permissions in UNIX Next comes the number of links Next comes the name of the owner Group might be shown (not here) Listing: -rwxr-x--- 1 root... purple.exe; drw-r brows... reports; -rw-rw-r-- 1 lighter... bronze.txt
53 Figure 6-13: Managing Permissions Assigning Permissions in UNIX Changing permissions umask (user mask) command sets the default permissions for future assignments chmod (change mode) changes permissions for the file chown (change owner) changes the ownership of a file
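An added example, not part of the original slides, that reads the ls -l permission strings shown above and applies least permissions with umask and chmod. The function names are made up for this illustration, and the files are constructed in a temporary directory using the names from the slide listing.

```shell
#!/bin/sh
# Added example, not from the slides: read ls -l permission strings and
# apply least permissions with umask and chmod on constructed files.

# mode_to_octal STRING: "-rwxr-x---" gives 750. The first character (file
# type) is skipped; setuid/setgid/sticky bits are not reported.
mode_to_octal() (
    perms=${1#?}
    out=
    for who in owner group world; do
        triad=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        n=0
        case $triad in r??) n=$((n + 4)) ;; esac
        case $triad in ?w?) n=$((n + 2)) ;; esac
        case $triad in ??[xst]) n=$((n + 1)) ;; esac
        out=$out$n
    done
    echo "$out"
)

# file_mode PATH: octal mode of PATH, taken from the ls -l listing.
file_mode() (
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
)

# new_file_mode UMASK: mode a newly created file receives under UMASK.
new_file_mode() (
    dir=$(mktemp -d)
    umask "$1"
    : > "$dir/new"
    file_mode "$dir/new"
    rm -rf "$dir"
)

# world_accessible DIR: files whose "rest of the world" triad is not ---.
world_accessible() (
    cd "$1" || exit 1
    find . -type f \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
)

# Constructed demo using the file names from the slide listing.
demo() (
    dir=$(mktemp -d)
    : > "$dir/purple.exe"; chmod 750 "$dir/purple.exe"
    : > "$dir/bronze.txt"; chmod 664 "$dir/bronze.txt"
    echo "before: $(world_accessible "$dir" | tr '\n' ' ')"
    chmod o-rwx "$dir/bronze.txt"        # remove all access for the world
    echo "after:  bronze.txt is $(file_mode "$dir/bronze.txt")"
    echo "umask 027 creates files as $(new_file_mode 027)"
    rm -rf "$dir"
)
demo
```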
54 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10) The importance of logging to diagnose problems Failed logins, changing permissions, starting programs, kernel messages, etc. Windows 2000 Event Viewer (Figure 6-17)
55 Figure 6-17: Windows 2000 Event Viewer for Logging
56 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10) UNIX has many logging facilities controlled by syslog program (Figure 6-18) Syslog program sends log entries of different types to specific directories on the host or on other hosts The file syslog.config specifies which log entries and which severity levels should go to which directories on which hosts
57 Figure 6-18: syslog in UNIX. 1. An event from the internal system reaches syslog on the host wishing to do remote logging (Type=Login, Level=Err). 2. syslog looks up Login/Err in syslog.config, whose entries include "Login.Err HostA" and "Restart.* /errors/restart". 3. The matching entry names Host A. 4. Remote logging: the entry is sent to Host A (runs syslog).
58 Figure 6-16: Advanced Server Hardening Techniques Backup (Chapter 10) UNIX backup tar command (tape archive) Create tape archive of a file, group of files, directory tree in a .tar file Can use tar to look at table of contents of files in .tar file Can use tar to restore one, some, or all files
59 Figure 6-16: Advanced Server Hardening Techniques Backup (Chapter 10) Windows backup Start, Programs, Accessories, System Tools, Backup Note that Backup is under Accessories rather than under Administrative Tools like most MMCs GUI to create backups, restore backups
60 Figure 6-16: Advanced Server Hardening Techniques File Encryption Protects files even if attacker breaks in Key escrow: Copy of encryption key is kept elsewhere to protect in case of key loss Windows Encrypting File System (EFS) Select file in Windows Explorer, select Properties Click on General tab’s Advanced button Click on the box Encrypt contents to secure data
61 Figure 6-16: Advanced Server Hardening Techniques File Encryption Windows Encrypting File System (EFS) Encryption is transparent: Save, retrieve, copy files as usual Encrypted files generally cannot be sent over the network There is a Recovery agent (usually on the domain controller) for key escrow
62 Figure 6-16: Advanced Server Hardening Techniques File Integrity Checker Creates snapshot of files: a hashed signature (message digest) for each file After an attack, compares post-hack signature with snapshot This allows systems administrator to determine which files were changed Tripwire is the usual file integrity checker for UNIX (Figure 6-19)
63 Figure 6-19: Tripwire File Integrity Checker. 1. Earlier time: Tripwire computes a signature for File 1, File 2, ... and the other files in the policy list (File 1 Signature, File 2 Signature, ...) and keeps them as the reference base. 2. After attack: Tripwire computes post-attack signatures for the same files. 3. Comparison of the post-attack signatures with the reference base to find changed files.
64 Figure 6-16: Advanced Server Hardening Techniques File Integrity Checker If applied to too many files, too many false alarms will occur Must be selective—core programs likely to be Trojanized during attacks Server Host Firewalls Rules can be specific to the server’s role ( , etc.)
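The snapshot-and-compare cycle of Figure 6-19, as an added example that is not Tripwire and not part of the original slides: it uses SHA-256 digests from GNU coreutils sha256sum as the hashed signature, and a short policy list rather than every file. The function names and the three stand-in files are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not Tripwire itself: the snapshot-and-compare cycle with
# SHA-256 digests. Assumes GNU coreutils sha256sum and one path per line in
# the policy list. Keep the reference base off the host or on read-only
# media, or an intruder can rewrite it along with the files.

# snapshot POLICY_LIST: print "<digest>  <path>" for each listed file,
# or "MISSING  <path>" when the file is not there.
snapshot() (
    while IFS= read -r path; do
        case $path in
            '' | '#'*) continue ;;      # skip blanks and comments
        esac
        if [ -f "$path" ]; then
            sha256sum "$path"
        else
            echo "MISSING  $path"
        fi
    done < "$1"
)

# compare REFERENCE POLICY_LIST: re-hash the policy list and report
# CHANGED, REMOVED or NEW paths relative to the reference base.
compare() (
    now=$(mktemp)
    snapshot "$2" > "$now"
    awk '
        { i = index($0, "  "); d = substr($0, 1, i - 1); p = substr($0, i + 2) }
        FILENAME == ARGV[1] { ref[p] = d; next }
        !(p in ref)     { print "NEW", p; next }
        ref[p] == d     { next }
        d == "MISSING"  { print "REMOVED", p; next }
                        { print "CHANGED", p }
    ' "$1" "$now"
    rm -f "$now"
)

# Constructed demo: three stand-in "core programs" in a temp directory.
demo() (
    dir=$(mktemp -d)
    for f in login ls ps; do echo "original $f" > "$dir/$f"; done
    printf '%s\n' "# policy list" "$dir/login" "$dir/ls" "$dir/ps" > "$dir/policy"
    snapshot "$dir/policy" > "$dir/reference"      # 1. earlier time
    echo "replaced" > "$dir/ls"                    # 2. constructed tampering
    rm "$dir/ps"
    compare "$dir/reference" "$dir/policy"         # 3. comparison
    rm -rf "$dir"
)
demo
```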
65 Figure 6-20: Types of UNIX Vulnerability Assessment Tools. Tools shown: External Audit Tool, Host Assessment Tool, Network Monitoring Tool. Other diagram labels: Attack Packet, Network Traffic, Auditing Computer.
66 Figure 6-21: Hardening Clients Importance of Clients Contain important information If taken over, can get in as user, passing through firewalls and other protections
67 Figure 6-21: Hardening Clients Enforcing Good Practice Patching Antivirus software Firewall software Limiting client software to an approved list (e.g., forbidding P2P file exchange products) Save passwords? File encryption
68 Figure 6-21: Hardening Clients Central Control is Desirable for Clients For example, Microsoft Group Policy Objects (GPOs) for home clients Require certain programs (antivirus, etc.), forbid programs not on list Even lock down desktop so user cannot add new software or even change the interface Central vulnerability scanning Difficult to enforce on personally owned home computers
69 Topics Covered Firewalls and other protections sometimes break down Computers must be hardened to survive when attackers reach them Defense in depth
70 Topics Covered Elements of Hardening Physical security (Chapter 2). Secure installation and configuration Fix known vulnerabilities Turn off unnecessary services (applications) Harden all remaining applications (Chapter 9) Manage users and groups Manage access permissions Back up the server regularly Advanced protections
71 Topics Covered Baselines are needed to specify everything that must be done to harden a server Server administrators are called systems administrators Each server has one or more sysadmins
72 Topics Covered Microsoft Network Operating Systems (NOSs) LAN Manager (LANMAN) Windows NT Server Windows 2000 Server Windows 2003 Server (called .NET in the book) Familiar Windows interface gives ease of learning and use
73 Topics Covered UNIX Many versions of UNIX LINUX distributions CLIs are difficult to use Other Novell NetWare Cisco IOS for routers and switches Firewalls, cable modems, etc.
74 Topics Covered Installation Many options affect security Need a baseline to guide installation
75 Topics Covered Patching vulnerabilities The most critical hardening step Fixes, patches, and upgrades Often not applied because of sysadmin overload Need to test patches before roll out Linux uses rpm to get patches Windows 2000 uses the Windows Update item on the start menu Automatic notification in Windows 2003
76 Topics Covered Turn Off Unnecessary Services To give attackers fewer targets Windows Server Computer management MMC GUI Unix inetd.config modification rc scripts ps -aux, netstat show process IDs (PIDs) kill PID kills the process with that PID
77 Topics Covered Managing Users and Groups Assign permission to users Can also assign permissions to groups Group members receive all assigned permissions Assign permissions for individuals and groups to individual directories
78 Topics Covered Managing Users and Groups Windows Server Computer Management: Local Users and Groups snap-in to manage users and groups Assign permission to directories by right clicking on them Windows has 6 standard permissions which can be subdivided into 13 special permissions Windows can assign permissions in a directory to many users and groups
79 Topics Covered Permissions in Unix Only three (read, write, and execute) Can only be assigned to a file or directory owner, a single group, and the rest of the world ls -l shows permissions chmod changes permissions for a file or directory chown changes the owner of a file or directory
80 Topics Covered File Integrity Checking Tripwire for Unix and Windows Host Firewall Protections tailored to host’s specific services Vulnerability Assessment Unix external audit, network monitoring, and host assessment tools
81 Hardening Clients Good Practice Many Aspects Patching Antivirus software Firewall software Limiting client software to an approved list Etc. Difficult to enforce Centralized management (e.g., Microsoft GPOs) can enforce policies